Down the Security Rabbithole Podcast #DtSR with Los and Tuma talking all things #cybersecurity

This week’s #DtSR Podcast featured Raf Los and guest Shawn Tuma talking about all things cybersecurity. Check out more of what was covered and listen to the podcast here!

Check out some of the past episodes with Tuma as a guest.

 


______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Security Weekly guest Shawn Tuma discusses “what is reasonable cybersecurity?”


 

______________________


What is “reasonable cybersecurity” and how do courts view it? (SecureWorld interviews)

What is “reasonable cybersecurity” and how do courts view “reasonable cybersecurity”?

See KnowBe4’s discussion of these interviews

These are two excellent questions that I was asked and I answered, as succinctly as I could, in two short interviews with SecureWorld. Tell me what you think about my answers.

What Is Reasonable Cybersecurity? – SecureWorld article

How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018 – SecureWorld article

Here are the videos.

 

______________________


Uber CISO’s Testimony Clarifies Payment to Hackers was Not Legitimate Use of Bug Bounty Program

As bits of information about the Uber data breach have trickled out, including the purported payment through a bug bounty program, I have been concerned about the implications for legitimate corporate bug bounty programs. My concerns grew when I read the New York Times article, Inside Uber’s $100,000 Payment to a Hacker, and the Fallout.

The February 6, 2018, testimony by John Flynn, Uber’s Chief Information Security Officer, makes me feel better because it finally made clear (to me, anyway) that this was not a legitimate bug bounty program situation (see full written testimony):

As you know, Uber paid the intruders $100,000 through HackerOne and our bug bounty program. Our primary goal in paying the intruders was to protect our consumers’ data. This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.

***

We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company. The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed. While the use of the bug bounty program assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure, at the end of the day, these intruders were fundamentally different from legitimate bug bounty recipients.

When dealing with something like this, in the world of data breach reporting and notification, details, motive, and the order of events matter. It appears that Uber attempted to take an existing incident (that was likely a data breach requiring reporting and notification) and mitigate it by running it through its bug bounty program in an effort to de-breach it, so to speak. While this was a creative approach and one that could raise issues about other mitigation efforts that companies may try for dealing with incidents, such discussions are beyond the scope of this post.

What is important, to me anyway, is that this was not a legitimate use of Uber’s bug bounty program that is now being second-guessed. I think that should help corporate security and legal professionals sleep a little better.

In Flynn’s testimony, he does an excellent job of explaining bug bounty programs and, specifically, Uber’s bug bounty program and the success it has had since implementation. He also explains Uber’s incident response process in this particular situation and offers insight into just how quickly an IR team must act — something everyone should understand. I strongly encourage anyone interested to read his full testimony.

See Uber: ‘No justification’ for covering up data breach

______________________


3 Legal Points for InfoSec Teams to Consider Before an Incident

As a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).